Privacy Policy

Keeping your information safe and private is incredibly important to us at Roots.  Roots is nothing without the wonderful people who make up the community, so your comfort and confidence are things we value very highly.  We are happy to share with you the ways that we are doing that with your personal data.

References to “we”, “us”, or “our” in this Privacy Policy are references to Roots: Globalscope Edinburgh, a registered Scottish Charitable Incorporated Organisation SC044374.

 

Data we collect

We collect your personal information when you opt to receive information about what’s on at Roots, get involved in the community, or participate in certain events.  This information may include your name, email address, physical address, phone number, Facebook name, and Instagram handle.

We use a third-party provider, MailChimp, to deliver our weekly “What’s on” email.  For more information, please see MailChimp’s privacy policy.  You can unsubscribe from these emails at any time by clicking the unsubscribe link at the bottom of the emails or by emailing whatson@rootsedinburgh.org.uk directly.

Because we are committed to safeguarding everyone who is a part of Roots, we also act in accordance with laws and best practices in regards to first aid and caring for mental health related situations.  That means that when necessary, additional information may be recorded in a written document detailing an incident and the response.  First aid records are kept in a designated book in a locked cabinet in the Roots office and mental health first aid documents are kept in a locked box accessible only to the designated safeguarder and the Team Leader.

 

How we use the information

Your personal information will be used to contact you in the ways that you have consented to be contacted such as weekly emails or with information regarding a specific event.  We may also use contact details to invite you to additional events or activities with the Roots community as a whole, in smaller groups, or as individuals from the Roots team.

We will never distribute your information to any other party or organisation without your knowledge or consent.  Roots sends updates and other mailings to financial supporters of the charity, but your personal data will not be included without your permission.

 

Accessing your personal information

If for any reason, you would like us to show you, correct, update, or delete the personal information that we have.  Email us at info@rootsedinburgh.org.uk.

 

Finally…

This privacy policy will be reviewed and updated from time to time, so please check it periodically.

And now for the legal stuff

GENERAL PRIVACY NOTICE

1. Who we are

We are Globalscope Edinburgh, a Scottish Charitable Incorporated Organisation (SC044374).

We are a data controller for the purposes of the General Data Protection Regulation (Regulation (EU) 2016/679) and related data protection legislation.

2. How to contact us

If you have any questions about this privacy notice or our data protection policies generally, please contact us:
By post: 9 South College Street, Edinburgh, EH9 9AA, United Kingdom.
By email: info@rootsedinburgh.org.uk
By phone: 0131 668 8595

3. Purpose of the Privacy Notice

3.1 We are committed to protecting your personal data and your privacy.

This Privacy Notice sets out the basis on which any personal data that you provide to us or that we obtain from a third party will be processed by us. Please read the following carefully to understand our practices regarding your personal data and how we will treat it.

3.2 Before we process your personal data, we are obliged to inform you of who we are, why we need to process your personal data, what we will do with your personal data and with whom we may share your personal data.

3.3 It is important that you read this Privacy Notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. Any other privacy notice or fair processing notice will supplement (not override) this Privacy Notice.

3.4 You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

3.5 This Privacy Notice was last updated on 16 June 2018.

4. To whom does this Privacy Notice apply?

This Privacy Notice applies to any individual whose personal data is obtained by Roots: Globalscope Edinburgh as set out in the table in the Schedule, including those individuals who visit our website located at http://rootsedinburgh.org.uk/ (“Website”), or who contact us by post, telephone, e-mail or other means (including other electronic means), or who donate to us or who participate in any of our activities or events.

5. About the personal data we collect and hold

The table set out in the Schedule summarises the personal data we collect and hold, how we use it (our processing purposes) and why we use it (the lawful bases of processing).

We seek to ensure that our personal data collection and processing is always proportionate. We will notify you of any changes to the categories of personal data we collect or to the purposes for which we collect and process any personal data.

6. Information about our Website

6.1 Our Website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and we are not responsible for their privacy statements. When you leave our Website, we encourage you to read the privacy notice of every website you visit.

6.2 Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

6.3 You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of the Website may become inaccessible or not function properly.

7. How do we collect your personal data?

7.1 Automatically: in respect of users of our Website only, we may obtain personal data as you browse our Website relating to your browsing patterns and technical data about the equipment you are using to access the Website. This technical data is automatically collected using cookies, and other similar technologies.

7.2 Directly from you:

7.2.1 identity, contact, financial, transaction, social media and similar data is provided directly by you when you contact us by telephone, e-mail, post or otherwise, fill out any forms we provide to you, or where you provide a donation; and

7.2.2 special category personal data such as religious beliefs and health data where you choose to provide this data to us.

7.3 From third parties or public sources:

7.3.1 we may obtain identity and contact details from publicly available sources such as Companies House or other organisations’ websites. This applies in particular in relation to donors and potential donors and to business contacts; and

7.3.2 we may obtain contact, financial and transaction data from providers of technical, payment and delivery services.

8. Marketing

8.1 We would like to send marketing information (generally about our events and activities) to our donors and to our contacts who may be potential donors in order to provide information about our charitable aims. We also would like to seek new donations from our donors and potential donors from time to time.

8.2 We would like to send marketing information to students who may be interested in our events and activities.

8.3 Where you have previously provided a donation to us, we may contact you from time to time for the purpose of providing you with appropriate marketing communications on the basis of our legitimate interests in direct marketing. We will not contact you for these purposes if you have at any point opted out of receiving such communications from us.

8.4 Where you are a potential donor or any other business contact, you will only receive marketing communications from us if you have consented to, and not at any point opted out from, receiving such communications from us.

8.5 Where you have previously participated in one of our events or other activities, we may contact you from time to time for the purpose of providing you with appropriate marketing communications on the basis of our legitimate interests in direct marketing. We will not contact you for these purposes if you have at any point opted out of receiving such communications from us.

8.6 Where you have not engaged in any activity or event with us, you will only receive marketing communications from us if you have consented to, and not at any point opted out from, receiving such communications from us.

8.7 Opting out from receiving marketing communications from us is easy and you may do so at any time by contacting us using the details above. We will process your request to be opted out of marketing within 30 days of receipt.

8.8 Where you opt out of receiving these marketing communications, we may still process your personal data for other required purposes as specified in this Privacy Notice.

8.9 We will not sell or transfer your personal data to any other organisation for the purposes of their direct marketing.

9. With whom do we share your personal data?

9.1 There may be circumstances in which we may also need to share your personal data with certain third parties. The third parties to which we may transfer your personal data include:

9.1.1 our accountants and auditors for the purpose of preparing management or statutory accounts;

9.1.2 any medical professional, or family member/guardian where we have reason to believe the processing of your special category personal data is necessary to protect your vital interests and you are not capable of giving consent;

9.1.3 legal advisors for the purpose of establishing, exercising or defending our legal rights;

9.1.4 any relevant regulatory authority, including HM Revenue & Customs, the Office of Scottish Charities Regulator, Companies House, courts or tribunals; or

9.1.5 any third party acquiring all or a substantial part of our assets (where such assets include your personal data).

10. International transfers

10.1 We do not transfer personal data outside of the European Economic Area except with regard to customer information which is processed and held within the United States by MailChimp and Google (we use G Suite). These companies comply with the EU-U.S. Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union to the United States.

10.2 We may share your personal data with Christian Missionary Fellowship International for the purpose of communication with current and potential financial supporters, but only where you have provided your consent to such processing of your personal data.

11. Automated-decision making or profiling

We do not use any automated-decision making or profiling in respect of your personal data.

12. Accuracy of your data

It is important that the personal data we hold about you is accurate and up to date. Please keep us informed if your personal data changes during your relationship with us.

13. How long do we retain your personal data?

13.1 We will not retain your personal data for longer than is necessary for the purposes for which the personal data is processed. This means that your data will only be retained for as long as it is still required to provide you with services or is necessary for legal reasons.

13.2 Generally speaking, we will usually retain your personal data for six (6) years following expiry of any contracts or arrangements between us, unless we are obliged to retain your personal data for a longer period as a result of an overriding legal obligation or in order to establish, defend or exercise legal rights.

13.3 To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Using these criteria, we regularly review the personal data which we hold and the purposes for which it is held and processed.

13.4 When we determine that personal data can no longer be retained (including where you exercise a right of erasure (see below for further details)), we ensure that this data is securely deleted or destroyed.

13.5 For more details about our retention periods, please contact us using the details above.

14. Data security

14.1 We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

14.2 We have put in place procedures to deal with any suspected personal data breach and will notify you and the Information
Commissioner’s Office of a breach where we are legally required to do so.

15. Your rights

15.1 Your personal data is protected by legal rights, which include your rights to:

Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes.

Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: if you want us to establish the data’s accuracy; where our use of the data is unlawful but you do not want us to erase it; where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer of your personal data to you or to a third party (data portability). We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

15.2 If you wish to exercise any of these rights, please contact us using the details above.

15.3 We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

15.4 You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

15.5 You also have the right to complain to the Information Commissioner’s Office, which regulates the processing of personal data, about how we are processing your personal data.

Schedule

About the information we collect and hold

Whose personal data? What personal data do we collect? How do we use your personal data? Why do we use your personal data?
Website users
– any visitor to our Website (http://rootsedinburgh.org.uk/)
Technical data
(including internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our Website)Usage data(including information about your visit and how you use our
Website)
To improve the user experience and administer the functionality of our website. Legitimate interests: to maintain network security and Website relevance for visitors to our Website
Students
– any students who are interested in attending any of our events or activities- any students who attend any of our events or activities
Identity data

(including name, student ID and social media handles)

Contact data

(including home address, email address and telephone numbers)

Special category data

(such as religious beliefs and health data)

To register you for any of our activities and events.

To manage our relationship with you and provide you with information about our organisation.

To notify you about changes to our terms and conditions or privacy notice.

Legitimate interests: to respond to your correspondence with us, for us to provide our services to you and for us to keep our records up to date.Necessary to comply with a legal obligation. With regard to special category data, in the course of our legitimate activities as a religious organisation with appropriate safeguards by our organisation on the condition that the processing relates solely to persons who have regular contact with our organisation in connection with our charitable aims and purposes, and that the special category data are not disclosed outside our organisation without your consent (unless we reasonably believe we are protecting your vital interests).With your express consent with regard to special category data where we have requested such consent and you have provided it.
Donors
– individual donors (current and former)
– representatives of our corporate donors (current and former)
Identity data

(including full name and title)

Contact data

(including home address, email address and telephone numbers, and sometimes business address, business email address and business telephone numbers)

Financial data

(including bank account details and payment details)

Transaction data

(including details about any current and previous donations to our organisation)

To seek and receive donations from you or from your organisation. Legitimate interests: to seek sufficient finance to pursue our charitable aims.
Business Contacts
actual or prospective business contacts, including:
– staff at our third party suppliers,
– individuals or representatives of organisations who have expressed an interest in our business, and
– anyone else with whom Globalscope Edinburgh has contact in a business context
Identity data

(including full name and title)

Contact data

(including business address, business email address and business telephone numbers)

To seek or maintain business relationships (including maintaining contacts at educational bodies and maintaining contacts with potential donors). To assess the suitability of any supplier or other business relationship, including ongoing monitoring of a relationship.To negotiate and/or manage the supply of goods or services to us by you or your organisation. Legitimate interest: to pursue our charitable aims and to seek supply arrangements appropriate for our business.To perform a contract with you or take steps to enter into such a contract.
All data subjects All personal data To comply with a legal obligations (such as any legislation or a court order).To protect our privacy, property or safety or those of a third party and your rights do not override such interests.To establish, exercise or defend our legal rights. To comply with a legal obligation.

Legitimate interests: to assert our legal rights.

* We do not seek to obtain any personal data relating to any children.